okta / okta-auth-js

The official js wrapper around Okta's auth API

Validate claims does not follow OpenID spec for audience validation #1480

Closed nholik closed 5 months ago

nholik commented 6 months ago

Describe the bug

Per the openid spec:

aud REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case-sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case-sensitive string.

The library assumes the common special case only of one audience. It should allow there to be an array of audience claims as well and check that at least one matches.

Reproduction Steps?

Use the SDK with an issuer that sends back an array of audience claims in an id token. Validation will fail, even if there is a valid audience in the aud claim.

SDK Versions

7.5.0

Additional Information?

No response
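An added example of an `aud` check that follows the spec text quoted above (single string or array, client_id must be among the values, case-sensitive comparison). It is not code from okta-auth-js or from the linked PR; `CLIENT_ID`, the issuer URL and the sample token are constructed, and signature verification and the other claim checks are assumed to happen elsewhere.

```javascript
// Added example, not okta-auth-js code: an `aud` check that accepts both
// forms OpenID Connect Core allows (single string, or array of strings) and
// requires the Relying Party's client_id to be among the audiences.
const CLIENT_ID = '0oa-example-client-id'; // constructed placeholder

function audienceMatches(aud, clientId) {
  if (typeof aud === 'string') {
    return aud === clientId; // common special case: exactly one audience
  }
  if (Array.isArray(aud)) {
    // general case: client_id MUST be present; other audiences MAY be too.
    // Comparison is case-sensitive, as the spec requires.
    return aud.some((a) => a === clientId);
  }
  return false; // claim missing or malformed
}

function base64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Extract claims from a compact JWS. Signature, iss, exp and nonce checks are
// assumed to happen elsewhere; this only demonstrates the aud rule.
function decodeClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('id_token is not a compact JWS');
  return JSON.parse(base64urlDecode(parts[1]));
}

function validateAudience(idToken, clientId) {
  const claims = decodeClaims(idToken);
  if (!audienceMatches(claims.aud, clientId)) {
    throw new Error(`The audience [${claims.aud}] does not match [${clientId}]`);
  }
  return claims;
}

// Constructed sample token for local testing: real payload, placeholder signature.
function sampleToken(aud) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc({ iss: 'https://issuer.example', sub: 'user1', aud })}.sig`;
}

// A token whose aud array contains our client_id among others passes.
console.log(validateAudience(sampleToken(['api://other', CLIENT_ID]), CLIENT_ID).sub); // user1
```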

nholik commented 6 months ago

I have submitted a PR with tests for this here: https://github.com/okta/okta-auth-js/pull/1481

shuowu-okta commented 6 months ago

@nholik Thanks for reporting the issue and PR! We will have the PR reviewed and release the change once it's merged.

Internal Ref: OKTA-678622

jaredperreault-okta commented 5 months ago

Released in 7.5.1 https://github.com/okta/okta-auth-js/releases/tag/okta-auth-js-7.5.1